It is only in the past 10 years or so that banks and mortgage lenders have faced heightened risk from wire fraud losses. In this time period, lenders have been forced to uncover and defend the widespread use of various cyber schemes, including basic phishing, using mass-market emails; spear phishing, using cyber intrusion tactics to go after specific targets; whaling, using email schemes to target key owners and managers (C-level employees); or business email compromise (BEC), where intruders pretend to be the CEO or CFO.
More recently the use of artificial intelligence (AI) is being used to create "deep fakes," AI-generated videos, images, or audio recordings that convincingly mimic real people’s faces, voices, or actions, often making it appear as though someone said or did something they never actually did, such as authorize a wire to the wrong recipient.
These schemes all have one purpose: to disrupt operations by gaining access to internal communications and data, with the intention of causing financial harm.
Due to the relatively uncontrolled nature of communications surrounding the closing of mortgage loans, where many different parties come together to close a transaction, the ability of cyber criminals to infiltrate and cause havoc is a continued threat. It is very difficult for lenders to manage the security of information and data being transferred among so many varied parties: the borrower, seller's attorney, settlement agent, real estate agent, and others, such as property inspectors and appraisers.
Best practices, which are required by financial regulators and by some state data privacy and security statutes (i.e. New York and California come to mind) should include:
- Ensuring all employees use encrypted email tools when transmitting confidential borrower and transaction data;
- Prohibiting employees (many of whom are not working from home) from using personal emails and from storing lender and borrower data and documents on unprotected local servers;
- Requiring sterile home work environments, protecting sensitive consumer and financial information from the prying eyes of anyone without a need to access such information, including family members, neighbors, and guests;
- Training employees on identifying email phishing schemes, especially whaling schemes, so that they do not inadvertently allow bad actors in through the "front door;"
- Educating consumers about phishing schemes and how they may impact their transaction, especially through attacks on their personal email accounts;
- Insisting that all transaction partners verify any wire instructions and adopt a red flag policy whenever wire instructions change abruptly in the midst of a transaction;
- Adopting password protection policies that require all employees to change access passwords to all systems on a regular basis;
- Educating staff about "deep fakes" and the deceptive use of AI to create a false impression of an approved yet harmful business decision;
- Conducting (or outsourcing) system security checks, including penetration checks to expose any weaknesses and vulnerabilities in your technology systems; and
- Employing a robust vendor management risk assessment and monitoring program to make sure that outsiders whom you allow to access your consumer and financial data (a) are who they say they are, (b) are low risk actors, (c) employ their own internal controls managing their employees and systems, and where they are receiving proceeds (d) have verified trust accounts.
If you are like me, the idea of mortgage fraud keeps me up at night. Check back here each month to learn more about my restless nights.
